November 2012 Archives

Very occasionally a conference speaker really does transform your thinking


Yesterday I attended an event at which a speaker provided an insight which transformed my thinking. The event was under the Chatham House Rule so I regret that I cannot say who or where. The insight was that we should stop thinking about monitoring customer transactions for fraud, or to collect personal information, and instead look for changes in behaviour. These are likely to indicate the need for action to retain customers more often than they indicate potential fraud. They are even more likely to indicate opportunities, including those which might not fit the current business models. This means that in a well run organisation the security, anti-fraud, data protection and regulatory compliance teams and the marketing, business development, customer service and support teams should be allies, not enemies.

Think about the implications. Think about them long and hard. They are profound. They are all too often lost by novophiliac professionals with tunnel vision.

I will be asking my successor at the Digital Policy Alliance to organise a round table or two to look at the implications - and to charge non-members an arm and a leg so as to get them to take the need to join and work together to improve confidence in the online world a lot more seriously - funding participation from marketing, not public affairs, regulatory or security budgets. If you are interested, do not wait to be invited to join. I anticipate that this will be one of those topics where the early joiners will wish to move fast without bothering to invite anyone other than their strategic partners. Hence my reason for blogging before any formal invitation goes out. If you are interested, say so when you contact them.

Do the e-Commerce Directive and "innocent carrier" status still have any meaning?

Publicity for the recent Austrian case regarding Tor caused me to ponder whether the e-Commerce Directive still has any meaning. On the one hand we have market leaders touting for business across the EU without giving any physical contact details (how do you contact PayPal other than over the Internet?); on the other we have law cases (under both Common and Roman law) which appear to void the claims to innocent carrier status of those who know the nature of that which they transmit (because their business models require this).

Good Data for Good Government - and plans for the Universal Credit

Last night Stephen Timms addressed the IT Chapter of the Institute of Chartered Accountants. His audience was a mix of IT and accounting professionals, including members of the Chartered Institute of Taxation. Readers of this blog will know my concerns over the implementation plans for the Universal Credit, but I have focussed on those of DWP. In the course of his speech Stephen, as a former Financial Secretary to the Treasury and sometime IT professional, took an equally cool look at the HMRC side of the project: the plans for Real Time Information on PAYE and their effect on small firms and their willingness to employ staff who might well be on the margins of employment - those whom the Universal Credit is intended to help into the world of work.

 

I do not agree with all that he said. You would be surprised if I did. But I do recommend that you read his words in full (see below), particularly his comments on where the blame should lie - with those who told ministers they could deliver the impossible (that is my rewording of what he said more politely). I personally believe that applies even more to the external consultants and suppliers paid to supplement the skills of officials who knew they were out of their depth.

 

But that is enough from me. Thank you to Stephen for permission to reproduce his words in full.



Midata, their data or your data? A few big data questions - then the killer.


On Monday the Consumer Affairs Minister will announce powers for us to request our personal data, including transactions, from business so as to better manage our affairs. I find it odd that none of the three sectors selected for participation is represented in the DWP IDAP trials (unless you count the US phone giant Verizon - which does not have much of a UK footprint anyway).

So who has the IPR in that data, us or the supplier?

What duty of care do they owe to us if an impersonator uses it to collect sufficient to FOG (fraudulently obtain genuine) trusted credentials in our name under the IDAP programme?

What is the liability of HMG under the e-Signatures regulation if those credentials are used in support of, for example, cross-border benefit fraud? 

In this context I note that there is no BIS minister among the named signatories to the new Fighting Fraud Together strategy. I suspect that this well-intentioned BIS consumer "protection" initiative -

like our regulatory regimes designed by compliance officers as job creation schemes for compliance officers, and -

our tax regimes designed by lawyers and accountants to create work for lawyers and accountants -

will further serve to drive on-line business off-shore, into the arms of those who are outside our regulatory regimes and pay no tax in the UK.

There appears to be no forum for joined up, well-informed debate on such issues other than the Digital Policy Alliance (the relaunch of EURIM being undertaken by my successor). 

I am now only an advisor but on Monday I am due to take part in a teleconference on forward plans to look at issues that are now urgent, as well as important, if the UK is to have an on-line future as a base for wealth creating and tax paying businesses and jobs - not just as a milch cow for those based overseas.

I will argue that all those who wish to be good (and profitable) UK business residents (paying a "fair", not just "legal", tax contribution) should be encouraged to join the DPA to help lead the relevant working groups, alongside those who cannot realistically leave the UK and who, like John Lewis, claim they are being discriminated against.

[Unfortunately that is not an easy argument for US-based multinationals whose policies are driven (ultimately) by quarterly briefings for the fund managers who hold most of their shares. In one of my previous blogs on the issues of trust I responded to a contribution from the Head of Risk at one of the world's largest fund managers on why good citizenship makes good long run sense for those who can afford to see beyond the quarterly review. One of the nations I covered (during my five years as corporate planner for a UK based high tech multinational) cut its corporation tax bill to us by 75% after I explained that the numbers did not add up with regard to the new factory we had long been planning in a marginal constituency. The following year we built the factory, quadrupling our local employee base. That Government's overall tax take, including local and export sales taxes as well as property, payroll and income taxes, then went up to well above what it was before the cut in headline corporation tax. They, like many other nations, but unlike HMG, took a long term holistic view. So did we.]

Hence my reasoning that we need BOTH the multinationals based overseas and the locally based players to engage in well-informed and constructive debate and (perhaps more important) joined up political campaigning, in order to ensure that the UK has a future as an outward looking part of a global economy - not just part of an over-taxed, over-regulated, introverted, protectionist EU.

That does not mean I believe the UK should necessarily leave the EU. It is "merely" that turning round debate in Brussels (to the benefit of all Europeans) as well as in the UK (to the benefit of all Britons) requires a commitment (including to work with allies in other member states) that is lacking.

I do hope that my successor will be more successful than I was. I also hasten to add that I am now only an advisor - and he is quite adept at telling me, politely, to sod off when he thinks I am talking tosh.

Does the DWP IDAP announcement mean HMG has begun to recognise the nature of the ID market-place?


The DWP press release announcing the first seven participants in its Identity Assurance Programme should be read in full: for what it does not say as much as for what it does. The list is almost certainly not that which those responsible for Government ID policy (leaving aside the question of who is responsible and what the policy is) would have wished. I suspect the missing banks, social media, on-line retailers and high street names have taken the view that the business on offer from HMG (let alone from a modest 18-month non-exclusive trial with DWP) is not worth the cost (including diversion of effort from mainstream paying business), let alone the reputational risk.

That said, the announcement appears to contain an overdue (albeit perhaps reluctant) recognition of reality: that the world of identity systems is a mature marketplace. Unfortunately those who have issued hundreds of millions of electronic IDs (some of which are trusted for sizable financial transactions and/or personal or corporate risks) are not interested in working with HMG (including DWP) other than on their terms. Meanwhile would-be new players are not interested in doing so unless bribed with the £billion contracts that HMG can no longer afford.

We still have disappointed pundits calling for a comprehensive "solution" at someone else's expense. But that "solution" seems even further away than when the International Telegraph Union met to agree codes and tariffs - over 150 years ago. What has been announced by DWP may, nonetheless, do rather more than "merely" provide a sensible basis for a workmanlike solution to the needs of DWP. It contains what some have called a "perverse incentive", whereby participants are paid to register and maintain each identity on a per active user, per annum basis, while users can sign up with more than one participant and the latter make more operational margin, at least during the trial, when those identities are used via another participant who is bearing the marginal cost of the "free" transaction.

I think it is not "perverse" but rather clever. It gives participants a very real incentive to ensure that the interoperability really does work. If the result serves to extend the current UK market lead in identity arbitrage (as practised in financial services but not understood outside) into the public sector and into mass-market on-line applications, then it will have achieved far more than the £millions spent via the Technology Strategy Board or Framework 7.

Between them the consortia appear to cover most of the bases. Some may even be able to cover all the bases - depending on the partners with which they are working.

Take a look at Toby Stephens' Identity, Privacy and Trust blog for background on IDAP, but he works for one of the players (arguably the most important) so it may be helpful if I (who do not work for any of them or their competitors) comment on those given modest (in HMG terms) funding to produce interoperable services:

McAlpine and Petraeus: removing the illusions of Internet anonymity and privacy

The news that Lord McAlpine's lawyers intend to identify and extract damages from those twats (shorter than twitterers) who do not own up and apologise brings an overdue dose of reality to the muddled debate on the "right" to be able to disguise your identity over the Internet which is implicit in much of the opposition to Nominet's plans to clean up .uk. Meanwhile observers can also enjoy the belated US realisation of the de facto Internet regulatory regime they have created as they look at the means by which the cold war between the FBI and CIA was fanned into flames after one military "socialite" complained she was being "warned off" her prey by another.

How do you rebuild trust: whether in Banks, BBC, the Internet or a Regulator?


The Newsnight debacle and the impending libel actions have not only dented trust in the BBC but also in the Internet as a source of reliable information on what is being kept from us and where comment is free. Guido Fawkes' challenge to the appeals tribunal's refusal to order the release of the list of those present at the BBC climate change workshop which decided to replace impartiality with a "policy" - he published the list anyway - also raises interesting questions of trust in the regulatory regimes for both Freedom of Information and Data Protection.

So how is trust rebuilt, once lost? A couple of days ago I blogged on the attempt by Nominet to rebuild Trust in .uk . I apologise that the blog was a bit long but it provoked a robust (and even longer) response from Paul Keating, retained to attend the consultation meetings to oppose the proposals. Do read his comments. You will better understand why I regard the topic as so important - and not one to be left to those whose business is the sale of domain names.

Last week I printed one of the more technical responses to my note of the planned competition for students on how we rebuild trust in the on-line world. Below is the response from the Head of Risk in the London offices of one of the world's largest banks. 

Those of you who have moved from 5 to 15 to 50 Mbps broadband will have discovered that it does not always lead to significant improvement in delivered service. The causes are many and varied: from line quality, through PC security, to "traffic management" at various levels.

At one level are the disputes between those whose service appears to limp along at 1 - 2 Mbps and engineers who say it is running at 5 - 10. There are also unexplained "pauses" in service supposedly running at 50. The causes of the former include belts of interference on lines within the home or between the home and the exchange. The cause of the latter is often security products running scans or fighting each other. Increasingly users are switching off anti-virus, anti-spam, firewall or website filtering to stop them blocking wanted traffic or to improve response times.

Meanwhile those in rural or inner city areas would love to have the problem. In an interesting variant on the argument that the Internet helps families keep in touch - my son regularly visits us because he cannot get the speed in Wapping to watch live football from around the world (i.e. not just what is shown on Sky Sports and its competitors).  

Then there is the interplay between the various "traffic management" (alias queuing) systems used to ration the capacity of the physical (copper, fibre or wireless) channels over which traffic flows, as well as of routing and peering centres and the servers on which content resides. Here we see much specious argument about net neutrality or "lack of demand" between players who want to see investment (by others) to remove bottlenecks and players who wish to sweat (their) past investment.

I was therefore very pleased to see that Ian Grant (usually focussed on problems with raw speed and/or procurement scandals) has blogged on what looks to have been a most interesting and informative meeting on some of the issues, albeit he has used the kind of doom and gloom (impending crisis) headline I commonly use to try to draw attention to issues that are "too boring for politicians", but rather more important than those about which they obsess. This area is important.

It also needs to be put into the context of the need to converge (used as an active verb) investment in 21st century infrastructure, UK public sector procurement (particularly inter-operability standards and also the organisation and funding of UK participation in global standards activities). Here I would like to give a word of praise to BDUK and DCMS, instead of my usual carping criticism. Their support for an active and balanced UK participation in both the IGF and WCIT is most welcome. I look forward to seeing that kind of forward thinking leadership in other areas.    

 

When should we commemorate the centenary of cyberwarfare - or has it already passed?


It causes surprise when I inform those who say that UK, EU or international legislation on electronic signatures and transactions is urgent that the first test case on whether a cable is an enforceable contract went to the New Hampshire Supreme Court in 1869, and that their plans would undermine the basis of over a century of global electronic commerce. Those who say e-crime is new and needs new laws are equally surprised that the first detected use of electronic interception for criminal purposes was in France in 1834, when François and Joseph Blanc were found to have bribed telegraph operators to give them news of stock exchange transactions. The first (and arguably most successful) global agreements on conduct in cyberspace (including charging rates, coding and security processes) derive from the International Telegraph Conference in 1865.

Should we date the start of cyberwarfare from May 1857, when almost the first act of the Meerut mutineers was to cut the telegraph lines - albeit too late to stop the Delhi office sending the news out over 6,000 kilometres of cable linking the main communications centres of India? Or from May 1863 and the Battle of Chancellorsville, when Butterfield made the first battlefield use of telegraphic deception and interception, and the subsequent failure of the Union telegraph systems when the Union armies were on the verge of success blinded Hooker and led him to turn victory into defeat? There is an early (but still most relevant) lesson here for those who rely on complex technologies sold to the military by those who have good connections in Washington (e.g. the Beardslee system) when simpler systems (e.g. Morse) are already in widespread commercial use.

Or should we date the centenary of cyberwarfare from the first occasion when the battle would not otherwise have happened at all: 8 December 1914, when 10 British sailors and 2,200 Germans died after the German East Asia Squadron was lured to its doom by a false signal requesting them to destroy the wireless station at Port Stanley on their way home? As with most cybervictories the winners deny it ever happened that way. British historians say that sending such a signal would have been against policy and quote Churchill as reprimanding Jellicoe for later mentioning in a telegram that we had broken the German codes. However the need for a victory after the Battle of Coronel and the source of the story (Franz von Rintelen recalling an interview in the 1920s with Admiral "Blinker" Hall, who had unmasked him and was by then retired) make it highly likely that political considerations had caused the First Lord of the Admiralty to override his own policy (if it had yet been written).

My main point in this blog is to draw attention to one of the questions in the competition on improving confidence in the on-line world: what is really different about the Internet if anything? Or is it just the arrogance of youth believing that increasing volume, speed and complexity change everything and they should throw away the past in favour of the latest untried technobabble. If so, they may well face the equivalent of a re-run of the Battle of Chancellorsville as they turn victory into defeat and not the first Battle of the Falkland Islands. 

So we now know that Mary Whitehouse was right about the BBC


The unravelling of the reputation of the BBC casts new light on the feud between Mary Whitehouse and Sir Hugh Greene . At least part of the BBC under Sir Hugh was indeed engaged in systemically corrupting the young and her rehabilitation may be under way, despite the continuing comments of apologists for the adolescent smut that often concealed genuinely predatory behaviour.

In reading the headlines on the protagonists we tend to forget that Mary Whitehouse became an activist because of her experiences as an art teacher responsible for sex education at a secondary modern school in Shropshire, which borders Clwyd - where the Wrexham cover up, probably to protect local rather than national reputations, is finally beginning to unravel. She represented blue collar, lower middle class England (and its values) against the metropolitan elite (and their values). The latter (and their champion, Sir Hugh Greene) had to rubbish her, lest she destroy political support for the BBC's 1930s style licence fees and arts subsidies as it fought back against the populist unsubsidised culture which had trashed its audience ratings by, for example, juxtaposing religion and music hall with a "faith" programme in the slot before Sunday Night at the London Palladium. Then there was "Robin Hood", that splendidly sustained attack on central government, scripted and produced by refugees from the Hollywood of McCarthy, with merry (not gay) men riding through a glen of freedom from tax, tithe and licence fee collectors.

We also forget that Hugh Greene was Head of German Services during that period when the BBC was described, along with the Times, as one of two "truly world class propaganda machines, compared to which the Germans were mere amateurs". The record of the speech (in 1946) from which I take the quote, together with the rest of the career of Sir Robert Renwick (who received Britain's last hereditary peerage in return for not writing his memoirs, including his time as Churchill's head of electronic warfare, including organising the construction and supply of the equipment used at Bletchley), has been airbrushed out of history. Neither the BBC nor the Times reported the death of the driving force behind the creation of the CBI, the IoD and Independent Television. They had been deeply offended by what Sir Robert had intended as a compliment and swore revenge.

But we can also see the unravelling of the idea that the Internet as a whole (i.e. not just the BBC) is a source of truth. Those who followed the nudge, nudge, wink wink links to find the names being covered up found the names used by pederasts and their protectors to conceal their true identities. I fear that some of the predictions in my 2001 essay on the next forty years of business computing were only too accurate:

I have seen the online future - and it sucks: the time has come for customer revolt


This morning I attended one of the consultation meetings on the Nominet proposals to reserve .uk for those with a physical presence in the UK and to make address spoofing rather harder. The meeting was supposedly for public interest groups, but much of the time was taken up by arguments against the proposals by a US lawyer hired by registrars who wish to perpetuate the dominance of the Internet addressing system by those whose business is selling domain names to the best payer: without regard to physical address, trading record, whether they are to be used (and how, e.g. impersonation of those with a similar name or in support of fast flux), suppressed (including by large brands to prevent impersonation, parody or use by customer protest groups) or resold at a profit.

His clients appear to also be opposed to the improvement of security, apparently because it can never be perfect and therefore improvements would lead to false confidence.

I believe that if such arguments prevail, it will be only a matter of time before the overall Internet addressing system is handed "back" to the ITU as an extension of telephone numbering, in time for a world of ubiquitous computing in which most traffic will be over mobiles with security based on checking the physical address, SIM card and/or geo-location.

We should remember that the rise of the Internet as we know it was mainly because of the mess that the ITU made of X.25. The ITU is now in a more credible position because of its apparent success in handling IPv6 standards and its offer to "mediate" the types of patent dispute that destroyed RIM and threatened to derail the global move to smart phones. I fear that at WCIT the Western Internet community will win the battle but lose the war. Control over Internet addressing will then pass to national governments (including in the UK) unless current attempts to make it trustworthy succeed. The growing scale and nature of impersonation (both corporate and personal) and associated fraud, and the tendency of corporations to use civil law and tort (rather than criminal law) against those who fail to help them obtain redress, mean the current situation is unsustainable.

Hence the importance of putting the Nominet consultation into broader context - and having a large number of responses from those who really do wish to improve confidence in the on-line world and get the other 70% of business transacting on-line.

I am told that Nominet have so far received 450 submissions. I fear that many, perhaps most, are from the registrar and ISP community - split between those who wish to preserve their current business models and those who wish to earn more from supplying genuinely trustworthy names. Meanwhile it is apparent that almost all outside the closed community are unaware that .co.uk does not mean the supposed business is based in the UK, or even has a physical address of any kind in the UK. This comes as a shock whenever it is mentioned.

As most readers will be only too well aware, I am committed to improving trust in the on-line world and in the UK as the best place to base a globally trusted on-line business. Hence the effort I am putting into the competition for ideas on how to achieve this. But neither will happen unless customers are able to make an informed choice to deal only with .uk domain names which mean what they say on the tin, linked to physical addresses with routines for enforceable redress when things go wrong.

Until that happens on-line business will continue to implode onto a small number of dominant brands which consumers think they can "trust". Most of these (other than banking, insurance and travel booking) are parented in the United States with their EU operations based in Ireland or Luxembourg. This avoids liability under UK regulation (e.g. that on consumer credit) and dispute resolution (e.g. County Court) as well as VAT and corporation tax. The sums quoted by those opposing the Nominet plans are trivial by comparison. Hence another reason why HMG will not back down on the "polite" pressure it has put on Nominet to set its house in order.

The initial Nominet proposals are not perfect. How they should be packaged and implemented is not obvious. That is why there is such a long period for dialogue and response. I plan to blog again when I have got my head round the current state of responses, including the suggestions for reconciling and addressing the differences between those who genuinely wish to have a domain name system that serves the interests of society as a whole and gives a fair reward to registrars who verify the domain names to those who want us to trust them, give true anonymity to those who want it, and enable the rest of us to tell which is which. And when I say "verify" and "anonymise" I mean "with as much certainty as is reasonable in a world where nothing is certain for longer than it takes the minds of the Dark Market to find a way round".

So why am I so concerned with confidence in the on-line world - and why do I think the future currently in prospect sucks - unless, that is,  we have a consumer revolt against the internetties in their cyberghettoes?

The closure of our local NatWest bank came as a shock - then I read of a raid on the local Tesco barely five days later. It became apparent that the response of Lambeth Police and Council to local policing, rather than the original incident, was the probable reason for the bank closure - and that Tesco Bank is unlikely to fill the gap. I fear that instead of spending my declining years in comfortable independence, with the support of easy to use, reliable, resilient on-line products and services to compensate for lack of mobility, I will starve to death, unable to order groceries for delivery by armoured Tescovan because my electronic credentials were hijacked after I visited Tesc0van by mistake, or because I clicked on the link in an e-mail asking me to change my delivery schedule because ....
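The Tesc0van mistake above is a lookalike (typosquat or homoglyph) domain: a digit standing in for a letter, a brand name buried in someone else's domain, or the same name under a different public suffix (the point made elsewhere on this page that .co.uk proves nothing about UK presence). The following is an added example, not code from the original post: a small checker that folds the visual substitutions out of a hostname and compares it with the registrable domains the user actually deals with. The TRUSTED set, the short suffix table and the sample hostnames are all constructed for the example; a production check would use the full Public Suffix List and a larger confusables table.

```python
"""Lookalike-domain classifier (added example; all lists constructed)."""

import unicodedata

# Constructed for this example: registrable domains the user transacts with.
TRUSTED = {"tesco.com", "natwest.com", "nominet.org.uk"}

# Public suffixes this example understands. A real check would use the
# Public Suffix List; this table is an assumption of the example.
SUFFIXES = ("co.uk", "org.uk", "gov.uk", "uk", "com", "net", "org")

# Digits commonly swapped for the letters they resemble on screen.
_CHAR_FOLD = str.maketrans("01357", "olest")
# Letter pairs that render like a single different letter.
_SEQ_FOLD = (("rn", "m"), ("vv", "w"))


def fold(label: str) -> str:
    """Normalise one DNS label so visual lookalikes compare equal.

    Punycode labels are decoded, Unicode is decomposed (NFKD) and stripped
    to ASCII so 'tésco' becomes 'tesco', then digit-for-letter and
    letter-pair substitutions are folded and hyphens dropped, so
    'tesc0-van' and 'tescovan' compare equal.
    """
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: fall through and fold the raw label
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(_CHAR_FOLD).replace("-", "")
    for seq, repl in _SEQ_FOLD:
        folded = folded.replace(seq, repl)
    return folded


def split_registrable(host: str):
    """Return (registrable_label, suffix), e.g. ('tesco', 'co.uk') for
    'www.tesco.co.uk'. The longest matching suffix wins; an unknown
    suffix is taken to be the last label."""
    host = host.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if host == suffix:
            return "", suffix
        if host.endswith("." + suffix):
            rest = host[: -len(suffix) - 1]
            return rest.rsplit(".", 1)[-1], suffix
    parts = host.rsplit(".", 1)
    if len(parts) == 2:
        return parts[0].rsplit(".", 1)[-1], parts[1]
    return host, ""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; adequate for short DNS labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str):
    """Return (verdict, brand) for a hostname the user is about to visit.

    verdict is one of 'trusted' (exact registrable domain in TRUSTED),
    'other-suffix' (same folded name as a trusted brand under a different
    suffix: tesco.co.uk when only tesco.com is trusted), 'lookalike'
    (folds to a brand name, contains it, uses it as a sub-label, or is
    within one edit of it) or 'unknown'.
    """
    host = host.lower().rstrip(".")
    label, suffix = split_registrable(host)
    registrable = ".".join(p for p in (label, suffix) if p)
    if registrable in TRUSTED:
        return "trusted", registrable
    folded = fold(label)
    # Labels to the left of the registrable domain, folded (tesco.com.evil.net).
    sub_labels = {fold(p) for p in host[: -len(registrable) - 1].split(".") if p}
    for brand in sorted(TRUSTED):
        brand_label, brand_suffix = split_registrable(brand)
        target = fold(brand_label)
        if folded == target:
            return ("lookalike" if suffix == brand_suffix else "other-suffix"), brand
        if (target in sub_labels
                or (target in folded and len(folded) > len(target))
                or edit_distance(folded, target) <= 1):
            return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample hostnames, including the page's Tesc0van.
    for sample in ("www.tesco.com", "tesc0van.com", "tesco.co.uk",
                   "natvvest.com", "tesco.com.evil.net", "bbc.co.uk"):
        print(f"{sample:22} -> {classify(sample)}")
```

The folding step is deliberately lossy in the attacker's favour: it only needs to make the lookalike collide with the brand, never to prove the two are different. The 'other-suffix' verdict is reported separately rather than as a lookalike because, as the consultation discussion above notes, the same name under .co.uk may be the brand, a reseller, or an impersonator, and only out-of-band verification of the registrant can tell which.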

Herding the sheep on-line to be fleeced - by closing even busy bank branches


I trust on-line banking as far as I can throw it - which is not very far. It is not that I do not trust the security of the systems of the banks I use. I do not trust the security of the equipment I use to access their systems or of the mail service via which I receive their authentication devices and PINs. I live barely a hundred yards from a busy high street in which Tesco, Sainsbury's, Iceland and the Co-op, plus over fifty small shops, compete for my business. When I moved in, fifteen years ago, it had four busy bank branches (counting building societies as banks) and one pawnbroker. Today it has one bank branch and three pawnbrokers (including payday loan, cheque cashing and gold buying operations). It also has over a dozen small shops offering Western Union and other global money transmission services.

We had choice and I had accounts with all four of the banks/building societies - moving balances according to the interest paid. Then Abbey National closed what had been called "the most robbed bank in Britain" (it apparently overtook the RBS Branch next to Barlinnie after they spent a large amount making it open plan with no security). I closed my last (postal) account when Santander took over and the interest rate vanished even before the Banking Crisis. Then Nationwide closed its cosy little fortress. Rather than use their branches miles away in shopping centres I never visit, I now time pay-ins and anything complex for when I am in Central London.

Then two days ago I discovered that the local NatWest branch had not only been closed, permanently, "for health and safety reasons" with no notice to customers, but the cash machines had been removed. I contacted the local councillors and was told that the only information available was the report in one of the local free sheets, which also contained their comments and those of the local MP. That means I will have to adjust my next visit into Central London to include an opportunity to pay my VAT into a NatWest branch, because HMRC will not accept a cheque.

We complain of the difficulty of reporting electronic crime, but Lambeth Police have long had a simple policy for cutting reported physical crime - shut down the means of reporting it. That allows them to report success against their crime reduction targets. I had not previously appreciated how efficient this is at also moving elderly victims online so that they can be fleeced more efficiently than by mugging them in the street. However, help may be at hand. I do hope that Tesco Bank reads this and takes note. Their local store is in that part of the High Street where their security guard (and those of the other supermarkets) provide mutual assistance. I also hope that Barclays, also in the "secure" area, next to the busiest bus stop, reads this and does a short order marketing blitz for local small firms business.

It would be even better if we also had a regular physical police presence, with PACE paperwork done on the spot by Blackberry or Android and a ferry service to take those arrested back to fortress Brixton for same day trial and sentencing (or at least overnight detention and next day trial - as in the days of Peelite policing). Now that would be a good use of technology to support people processes.


How trustworthy is the on-line world? Some early responses


The idea of a competition on the means of enhancing trust in the on-line world has struck a number of chords. Some respondents focus on the need for behaviour change and I will blog on this later. Others have questioned why so many services rely on "trust" products and services which many believe are damaged goods. Thus I have been asked why .gov.uk relies on SSL certificates provided from Utah by Comodo (Usertrust). That reader asked whether these were the cheapest, the only ones that assert they come under UK law (the policy says it is Manchester-based), did DigiNotar eclipse the Comodo saga last year, or "is everyone so new they do not remember 2011". It may be, of course, that CESG has checked the scale and nature of the breach and been reassured. But have they? And how is trust, once lost, regained?

One of the points of leverage in improving the trust of your board, let alone your customers, in the organisation's systems is the use of internal or independent audit to see who and what you are actually trusting and whether they really are trustworthy. In the private sector the most common qualifications required by organisations who are serious about information security are those from ISACA (originally the Information Systems Audit and Control Association, now extended to cover IT governance as a whole). This has over 100,000 members world wide and six chapters in the UK. The London chapter has over 2,500 members. Below is the response from Professor John Walker, who sits on the ISACA international practice guidance committee. He highlights how just one major weakness in practice (including on the part of some well known brand names) undermines much of the theory of "trusted" internet services. It is chilling - do not let an Internet savvy director read on unless accompanied by ...

Has the sky fallen in on DWP's big bang implementation plans for Universal Credit?


Is it a coincidence that I received a website reference to a DWP paper on identity fraud dated last February on the same day as the announcement of the departure of the programme director for the Universal Credit - with added speculation with regard to further changes?

The successful implementation of major programmes correlates almost exactly with the continuity of the senior responsible owner from inception to live running. The DWP implementation strategy appears to have consistently broken rules one (the centralised storage of vulnerable and sensitive data), two (network vulnerability) and three (creation of large numbers of disaffected staff) of the Skyfall guide for Ministers and Directors.

I find it interesting that none of the alternative, lower risk, ways of implementing the ministerial "vision" were ever seriously considered. I have always favoured devolving as much responsibility as practical to front line staff and giving them the tools to take a genuinely integrated view of the customer's needs. In the context of DWP that would mean giving them access to data matching systems that would enable them to join up the care and benefits packages available to the human with whom they are dealing (ideally face to face) and also to record why they have decided not to abide by the recommendations of computer files that may well be weeks or months out of date with regard to the circumstances of those in most need of the flexible help which is supposedly integral to the vision. Another implication of this is to greatly reduce the vulnerabilities to the current £billions of "systemic" on-line fraud based on ID crime.

I will not bore you with my previous blogs such as "Is DWP herding the vulnerable online to be fleeced?", "What is the difference between the National plan for IT and the Universal Credit?" and "A train crash waiting to happen ...". I will just say that I too like the "vision" very much and hope that it is not too late to separate benefit from risk in the implementation. But doing so almost certainly requires changing from grandiose big bang to incremental change.

Skyfall - Careers advice for brainiacs plus Ministers/Directors Guide to why Cybersecurity matters


Yesterday morning, at the awards ceremony for the Cyber Security Challenge "Can you talk security" competition, our BT host described Skyfall as a blockbuster careers advice film for the brightest and best of the younger generation. He quoted the new "Q" describing James Bond as a dinosaur: "I can do more damage on my laptop in my pajamas before my first cup of Earl Grey than you do in a whole year."

Visit the Skyfall website and watch the clip of James Bond meeting his new Quartermaster. Those who bleat about the lack of realistic careers guidance should focus on joining up the dots on how Q got his job. They should also watch his chagrin when he learns that an old-time hacker (same vintage as James Bond) breaks his network security wide open. One of the supposed teenage hackers arrested during the investigation described in Misha Glenny's Dark Market was in his 60s, waiting for a hip replacement, and asked to put his teeth in before he was taken to the police station.

But Skyfall does much more. It also covers the three top tips that are missing from the CESG Executive Guidance on Cyber Security (and all other guides produced by mainstream security experts):

1) Do not put all the crown jewels in one database: whatever the claimed security etc.

2) Do not link all your networks together: whatever the claimed security etc.

3) Take good care of potentially disaffected former employees. They are your biggest weakness.

CISOs who claim their Board does not understand the importance of cybersecurity should tell them to watch Skyfall with their grandchildren. The CISO should then be ready to lead a discussion on what "M" should have done in order to go out of office with pride - instead of seeing her reputation for competence trashed and having to retreat to a communications notspot to die in the arms of her favourite, but now ageing, toyboy.


Rebuilding Trust in the On-Line World


The collapse of the Internet and of mobile phone networks as Hurricane Sandy hit New York and New Jersey mirrors that when Katrina hit New Orleans. Trust is earned by those who deliver whatever the circumstances. The struggles of those who sought to keep their New York services going last week illustrate what that can mean. But how many "best efforts" services fall well short - and what are the implications as we move towards the always-on world of ubiquitous computing and the Internet of Things?

Widespread publicity for security compromises and the scale of on-line impersonation and fraud have led to a crisis of confidence in the on-line world in parallel with that in financial institutions as a result of the banking crisis and the scandals that have accompanied it. The financial crisis can be seen as a failure of information governance. The systemic weaknesses which enable criminals to organise computer assisted fraud arise from similar failures of technology governance. Such failures cross professional, cultural and regulatory boundaries. Now add the effects of the collapse of on-line banking and transaction systems, mobile phone networks, search engines or cloud services for hours, or even days on end, when faced by fire, flood, severed cables or even simple digititis (finger trouble), let alone major denial of service attacks.

Back in August I blogged on plans for a competition on "the meaning of trust in the on-line world". The Ethical and Security panels of the IT Livery Company have now held two linked round tables (one each).

By the end of the second meeting we had turned the question on its head: how do we enhance trust in the online world, given that we cannot (and probably will never) agree what trust actually is or how it is gained across a truly multi-cultural and socially inclusive Internet - where most users do not accept the values of the Starship Enterprise.

We also agreed that this is not a one off exercise and had turned our plans into a pilot for a three year project - which might well be extended if successful. The draft definition of "success" for the pilot being:

  • Universities enhancing industry partnerships with participating employers
  • Students earning apprenticeships/internships/posts with employers they would not have considered
  • Good ideas for helping enhance the competitiveness of the UK/EU (we should not neglect the need to bring about attitudinal change among those who set the EU regulatory frameworks within which we operate) as a base of choice for globally trusted on-line products and services
  • Participants ready and willing to work together to build on what has been learned.

We are now galloping to get the pilot under way in time for the thousand or so masters students likely to produce relevant dissertations to attract support from potential employers. The first stage includes rephrasing and publicising the high level "question" because Masters students are expected to set their own questions and the issues can be addressed from a variety of perspectives: technical, behavioural, legal, ethical and cultural. Moreover the supporters of the exercise have different objectives and the key to "success" will be to exploit the overlap so that these can be achieved at the same time as generating research and recommendations that will help bring about changes in attitudes and priorities and lead to effective action.

The framework below is therefore intended to stimulate discussion and thought. It is not intended to be the list of questions that the entrants agree with their supervisors and supporters.

The core question (dodged by almost all who look at the issues) is:

How do we bring about attitudinal and behavioural change: including by using technology to make it easier to follow good practice and harder to follow bad practice etc.?

Awareness and education programmes? Regulatory or compliance regimes? Civil or criminal law? Publicity? What are the roles of industry players, professional bodies, trade associations, self-regulators, statutory regulators, governments, auditors, insurers? What are the roles of the technology and people processes in facilitating security, privacy, good practice and trust, by design/default?

The second question, at the heart of the original motivation for the competition is:

How do we enhance trust in London, and the UK, as a location for globally trusted services and reap the rewards?

What is the role, if any, of the EU? How does improving on-line trust fit into the overarching objective of improving trust in the City/UK plc? Who (Financial Institutions, Government, Regulator, Professional Bodies, Trade Associations, Interest Groups) should do what?

Other high level questions might include:

How do you produce meaningful testing that deals with the claims made for the products or services, i.e. not just tick box compliance with an "accreditation"?

Is improving trust that services will not fail (e.g. fire, flood, power or "failed upgrade" bringing down a system or network) more important than routines for reducing the risk of incidents (e.g. known or suspected security breaches)?

How could/should trade-offs between cost, privacy, resilience, reliability and security be handled?

How could/should "trust" be "arbitraged" across identity and transaction systems run by different organisations, in different ways and to different standards?

What is informed choice and informed consent? Does this change according to time/circumstance? Who can be trusted to ensure/record that choice was given, changed or revoked? Can consent be revoked?

There are, however, many subsidiary questions that also need to be addressed.

What is the meaning of Trust?

What are the determinants and components of trust - both on-line and off-line? Is there a difference and if so why? What is the current state of trust "ecosystems", including who trusts whom with their identity and/or personal information? How do we distinguish between exercising trust and being trustworthy? How do you build trust online? How do you rebuild trust after a failure? What about trusted technologies/devices? Is there a difference between trust at the wholesale level (institution to institution) and retail (institution to individual customer)?

What is the meaning of "My word is my bond" in the on-line world?

Who am I? - Issues of identity (personal, legal, etc.), registration, reliance, liability, authorisation, impersonation and anonymity: not only is identification irrelevant to many transactions but some market transactions require anonymity in order to avoid distortion.

What is my word? - Issues of authentication, translation, in a contractual, cultural and legal context. How is trust in "my word" affected by complex and conflicting product and service terms and conditions? Are these meaningful or enforceable? Would standard terms, streamlining, standardisation and  harmonisation improve trust?

What is my bond? Issues of responsibility, liability, governance etc. Does civil law, adjudicated in London, provide a better recourse against abuse than criminal law? Legislation covering the City of London Police is different to the rest of the UK. This enables cooperation across legal boundaries which cannot be organised elsewhere. How could/should better use be made of the consequent potential? What about the differences between common, Roman, Jewish and Shariah law (bearing in mind that all are used in London) and their attitudes towards on-line transactions?

What, if anything, is different about the on-line world and why? Multi-cultural, multi-lingual centres like London have been handling transactions between people who never physically meet for centuries. So what really is different: problems, threats and opportunities?

I will not go into the judging criteria in detail save that for round one they are those for a Masters Dissertation: a mix of information collection and analysis in support of an innovative answer to an interesting question. Round two is for presentations by those producing innovative answers which help the competitiveness of UK plc. There may be cash prizes in both rounds but the "real" prizes are the degree and contact with potential employers and/or research sponsors (in Round One) and publicity for student, university and industry supporters in addressing issues of concern to sponsors (in Round Two).

I welcome e-mails (to virgo.philip@eurim.org) from employers wishing to enhance their university partnerships and identify and support potential recruits. I also welcome e-mails from on-line banking, retailing, transaction, service and security providers who would like to use publicity for their participation to demonstrate that they take the protection of their customers and those in their supply chains seriously and also wish to ensure that the UK is a globally competitive base for themselves and their most reputable competitors.

I should perhaps add that I personally hope that most of the latter will also decide to join the Digital Policy Alliance with a view to using the material and ideas that emerge to help bulldoze out of the way the UK/EU regulatory overheads that do nothing to enhance trust and drive on-line transactions off-shore and out of the EU.

About this Archive

This page is an archive of entries from November 2012 listed from newest to oldest.
